Cyber Threat Study Highlights Mid-Market Weak Spots

Cybersecurity Awareness Month Information Series

4 October, 2016

Cybercrime has become prolific. The complexity of attacks and the armies of threat actors driving those attacks has morphed so quickly that today reported breach events dominate daily news headlines. Perhaps more troubling though, are the numerous unreported security events.

We’re three-quarters of the way through the year and already hackers have decimated cyber-heist records. From the Panama Papers hack (which publicly released more 11 million sensitive documents from global law firm Mossack Fonseca), to the DNC email hack (which leaked 20,000 emails), to the Yahoo email hack (with 500 million user accounts compromised), breach events are yielding staggering results.

Even in summary, this mid-year review is a sobering reality check. What’s more frightening is what’s revealed when we go deeper than the headlines; sure, it’s alarming that major multi-national corporations have fallen victim to attack. If the big guys are struggling to defend their networks from attacks, what does that mean for small and mid-sized enterprise?

The truth is, businesses are scrambling to better understand what their unique risk profile looks like and how they can defend against cyber-attacks. Small and mid-sized organizations now represent more than half of security incidents that result in data loss. Unfortunately for businesses operating in this space, they’ve become a popular attack target.

Unlike their larger peers, mid-sized enterprise often lacks the resources and budget required to maintain the robust defenses required to defend against today’s complex attacks.

However, this year’s cases demonstrate that even if you can afford and support teams and technologies to fortify defenses, bad guys will surely find a way to get into your network.

Healthcare organizations, investment firms, credit unions, law firms, retail outfits and even the DNC itself all find themselves in the crosshairs as mid-sized organizations. While larger outfits grab the headlines, buried in the news are stories about a smaller hospital recovering a disabled system after a ransomware attack, or a hotel scrambling to reassure patrons that their cards weren’t compromised as part of a newly discovered data breach. Those kinds of stories give a glimpse into why mid-size enterprise now accounts for more than half of reported breaches.

Government and regulatory bodies, recognizing the vital role SMB plays in regional and global economies, are increasing their focus, defining new frameworks and audit processes to help ensure businesses remain compliant with governance measures, and therefore, are better prepared for cyber-attacks.

Emerging compliance requirements and sophisticated cyber-attacks further complicate the situation that SMB’s already find themselves in when it comes to cybersecurity. At the center of the storm lives one fundamental reality – technology simply isn’t enough.

eSentire focuses on mid-sized enterprise, protecting clients with a highly customized, high-touch, eyes-on-glass service. Our clients aren’t unlike the organizations profiled in many of today’s breach stories: they often have limited funds and internal resources available to manage cybersecurity programs themselves. Usually they will already have various security technologies in place.

When an organization becomes an eSentire client, significant time is spent ensuring that appropriate policies are in place and that a network is ‘hygienic’. Whether large or small, a common characteristic shared by all clients is the likelihood that they’ll be targeted for attack. A notable, and significant difference is that while larger organizations may find themselves defending against highly sophisticated attacks, many small and mid-sized organizations still struggle with rudimentary threats.

As part of our own industry profiling initiatives, eSentire commissioned a study analyzing its own data of all incidents actioned by its Security Operations Center (SOC) from January 2014 to January 2016. What the study reveals is that contrary to popular opinion (driven mostly by mainstream media), the greatest risk facing mid-sized enterprise isn’t coming from sophisticated, targeted threats. The most common vectors affecting organizations in the small to mid-size space are rudimentary, unsophisticated attacks.

Exploring the Data: Visible Trends

Compromises: The rate of incidents being opened for compromised assets (or potential compromise) has been steadily trending downwards since 2014. This covers all Payload & Blacklist categories. As well, there are some changes to the type of incidents representing compromises:

Payload Execution: Most incidents pertaining to payloads downloaded to an asset are now likely to be executed automatically during the attack; in 2014 many payloads did not have automatic execution as a higher proportion were delivered via tricking a user into a download rather than via an exploit kit.

Blacklisting: Incidents opened for a compromise are now less likely to be partially mitigated by a blacklist rule than they were in 2014.

Spreading: Most Incidents opened for a compromised asset still do not automatically spread internally, but the percentage as compared to the total number of compromise incidents has been rising.

Spyware & Adware: Prior to June 2014, we didn't have an incident category for spyware, and adware/spyware were all just adware. The frequency of the combined risk from these categories has been trending upwards through the tail end of 2015.

Recommendations

Easy Wins & Low Hanging Fruit

As we examine the data, four common types of security incident keep showing up as heavy hitters in the SOC over and over again regardless of what month we look at: Brute Force, Exploit Attempts, Security Advice (General), and Unusual Situation (General). These are overwhelmingly frequent security incidents, but they aren't particularly exciting and almost all of them could be handled by automated defenses instead of waiting for attention from a human in the SOC. Below, we discuss some ways to proactively stop these incidents at the door before they escalate to the point where we need to intervene with an analyst in the SOC.

About a quarter of all incidents opened by the SOC either provide generic recommendations on how to implement better security hygiene or to track situations that we consider unusual and don't know how to explain without feedback from you. One of the easiest ways to improve our ability to protect you is to respond to these alerts and get your help desk to conduct a quick investigation of your own when the SOC sends an alert about unusual activity to look into. For clients who routinely respond to these alerts, we rapidly build up a much better picture of what is going on within their environment and can identify and investigate suspicious behavior. For example, if we open an incident to notify a client about SSH activity within their network, a response to confirm whether that activity was expected or not helps us focus on situations that require more thorough, immediate attention. If the client doesn’t respond, our default operating policy is to filter the situation from our SOC's radar for 24 hours after sending the alert. What’s worse is that in unusual situations, without client response we have no way to baseline the normal behavior of the network and can't identify threats unless something clearly malicious happens or a signature-based rule fires.

Brute ForceIncident Type(s): Brute Force Attack Bypassing Perimeter

Consistently, around a third of all incidents opened by our SOC describe intervention in a preventable Brute Force situation that originated as a result of poor perimeter defenses. Generally speaking, a remote login service exposed to the Internet without a perimeter configured to automatically block these sorts of attacks, this situation will frequently occur. For clients that do not expose services or protect them with good perimeter defenses, the number of incidents in this category is almost nil. For those who leave a service exposed, we generally intervene in dozens or more of these situations each month. While our manual intervention does provide a layer of protection, it is much slower than an automated response and should be a layer of last resort after all possible automated perimeter controls have failed to detect the Brute Force attack. If you need to run a service that allows remote logins and/or you see a bunch of these alerts from us, there are a number of things that can be done to drastically reduce exposure:

Implement two factor authentication.

Implement whitelist-based access control, only allowing the IPs that need to access the system to do so.

Rate limit incoming connections to these services. There's generally no reason for anyone to open 30 simultaneous connections to your RDP service, or to allow a single IP to try and login 5 times in a minute, so your firewall should not allow it.

Exploit AttemptsIncident Type(s): Service Exploit Attempt

As can be expected, exposed service ports through the firewall present your 'clean', internal network to the 'dirty' public Internet (websites, remote access portals, etc.), and those exposed services instantly become targets for attacks of opportunity. This type of incident remains one of the most common security situations our SOC intervenes in. This type of exposure represents the vast majority (over 99%) of all SOC incidents opened for Exploit Attempts. Keeping exposed services up to date with patches is a given, but here are some easy ways to beef up your perimeter and reduce the number of these incidents getting through:

As much as possible, limit the number of internet facing services hosted within the main network. Instead, host public services such as websites that have no sensitive information in them on a separate network that doesn't connect to sensitive internal resources (DMZ, third party hosting, etc.).

Implement application-based firewalls for services that need to be exposed to the internet. Only allow traffic thought to be clean to connect to the services, rather than just exposing the port to the public Internet.

Keep awareness of what content should be on systems hosting such services and any unauthorized changes to content via tools such as tripwire.

Reduce the impact of compromises by making it trivial to restore the system to a clean working state after unauthorized changes (i.e.: VM snapshots, regular backups of the website data ready to push, etc.).

If you've already dealt with the easy wins and/or don't expose vulnerable services to the public Internet, this bucket, on average, represents the biggest area of risk for our clients. These incidents are usually opened as the result of users visiting attack web sites and getting infected, either via an exploit kit or through some sort of phishing/social engineering attack targeting the end-user's credibility and lack of security awareness. There are some steps you can take that stop many of these incidents from getting off the ground and help protect your users from those that do:

Install basic security add-ons into your standard browser setup for your users. Here are some things that your IT group should include standard in your browser setup:

Ad-blockers: An overwhelming majority of the attacks we see start from ad-servers. It can be hard to hack a major website like Forbes or MSN, but it's far easier to introduce a compromise through an ad network to host an attack ad, and the major website will load it for you and help you hit a large audience.

NoScript/ScriptSafe: If you aren't running code by default, you aren't getting exploited by it. These plugins allow you granular control over what code runs when you open a website - you can allow what is needed for your website to run, and disable what isn't. The default package for your users should allow painless use scripts necessary for business websites, and disable everything else. If users need access, they can always enable it.

Plug-ins - Don't Use Them: Generally speaking, you shouldn't need things like Java or Flash plug-ins for most normal use, and running them by default drastically increases exposure. Disable plug-ins; if you have a few that you need for business reasons allow those explicitly and nothing else.

Endpoint application control: with the most recent version of Microsoft Windows, significant security functionality has been folded into the product. However, even with older versions of Windows, security offerings such as EMET may be used to limit the execution of unwanted code on the endpoint.

Education: While it can be difficult to establish, truly effective security requires a culture of security within the organization on top of the collection of gadgets and security technologies used to limit exposure. If everyone is aware of the reasons for the above add-ons and browser practices, and has had some basic training on spotting social engineering and phishing attacks, the organization becomes much more secure from these types of attacks.

After we've knocked out the above, the next most likely risk is users installing applications that flag as spyware or adware. These are often free applications that have some sort of legitimate business purpose, but you should be aware that the software is essentially paying for itself by exposing your users to security risks and/or exfiltration data off the system. If a paid solution exists for the purpose that doesn't serve ads or steal data, it's probably worth a couple dollars to close that security hole.

External ScansIncident Type(s): External Scan Crossing Perimeter

Scans of your perimeter happen pretty much all the time, and that's not really a problem or worth opening a security incident for if your firewall is doing what it's supposed to and dropping those inbound connections on the floor. We generally open incidents when a scan crosses through your firewall and starts to trigger alerts on your internal, 'clean' network - which often happens if you have configured port forwarding through your firewall. The easiest way to deal with this is to have a completely opaque firewall on the outside, and only allow incoming connections through to a designated DMZ if you absolutely must expose services. Never allow random IPs on the internet to establish inbound connections to your clean network.

The Stuff That's Barely a Blip

Active IntrusionsIncident Type(s): Active Intrusion

These are the rarest type of incidents we see, but they are the situations that everyone worries about - and there is no easy technology or solution that deals with them. The only way to really protect yourself is to be engaged in the security process and action all of the incidents you know about as fast as possible. If a criminal or other malicious actor gains access to your network and we can't lock them out or catch them in time, eventually, this type of incident is what happens next. When these situations occur, our general goal remains the same: contain the situation and limit the impact of the threat as much as possible. However, in these incidents, tools like Host Interceptor and Log Sentry by eSentire dramatically increase our effectiveness.

Denial of Service AttacksIncident Type(s): Denial of Service

While a common and easy way to shut down a public service, these sorts of attacks are generally not something most of our clients need to worry about. If you have some sort of publicly facing service that needs to be protected, it may be worth it to consider some sort of DOS protection technology as our ability to action an incident of this type targeting you is extremely limited. However, if we open an incident because you have a misconfigured service participating in an attacker's DOS attack against someone else, it's a good idea to fix that as fast as possible if you want to avoid being blacklisted.

Drawing Conclusions

Small and mid-sized organizations and their networks are regularly targeted with rudimentary attack vectors that are bypassing perimeter defenses. While sophisticated attack vectors are still a chief concern, if organizations fail to build defenses against basic attack vectors they won’t stand a chance in guarding themselves against highly sophisticated ones. That said, because of the continued effectiveness of rudimentary attack vectors, those same organizations may buckle before they have a chance to confront a sophisticated attack.

Cybercrime has become everyone’s problem; by extension cybersecurity is now everyone’s responsibility. Top-level leadership must lead by example, by understanding their organization’s unique risk profile and constantly working to bolster the defenses when attack vectors that bypass them are discovered (through employee awareness, appropriate security technology and continuous monitoring).

eSentire Media Contacts

Eldon Sprickerhoff

Founder & Chief Security Strategist

In founding eSentire, Eldon Sprickerhoff responded to the incipient yet rapidly growing demand for a more proactive approach to preventing and investigating information security breaches. Now with over twenty years of tactical experience, he is acknowledged as a subject matter expert in information security analysis.